# Pomerium Console Environment Variables
The keys listed below can be applied in Pomerium Console's config.yaml file, or applied as environment variables (in uppercase, replacing - with _).
| Name | Description | Default Value |
|---|---|---|
| #administrators | A list of user ids, names or emails to make administrators. Useful for bootstrapping. | none |
| #audience | A list of audiences for verifying the signing key. | [] |
| #authenticate-service-url | URL for the Authenticate Service. Required for Device Registration. | none |
| #bind-addr | The address the Pomerium Console will listen on. | :8701 |
| #customer-id | The customer ID | none |
| #database-encryption-key | The base64-encoded encryption key for encrypting sensitive data in the database. | none |
| #database-url | The database Pomerium Enterprise Console will use. | postgresql://pomerium:pomerium@localhost:5432/dashboard?sslmode=disable |
| #databroker-service-url | The databroker service URL. | http://localhost:5443 |
| #debug-config-dump | Dumps the Databroker configuration. This is a debug option to be used only when specified by Pomerium Support. | false |
| #disable-remote-diagnostics | Disable remote diagnostics. | true |
| #disable-validation | Disable config validation. | false |
| #grpc-addr | The address to listen for gRPC on. | :8702 |
| #help | help for serve | false |
| #license-key | Required: Provide the license key issued by your account team. | none |
| #override-certificate-name | Overrides the certificate name used for the databroker connection. | none |
| #prometheus-data-dir | The path to Prometheus data | none |
| #prometheus-listen-addr | When set, embedded Prometheus listens at this address. Set as host:port | 127.0.0.1:9090 |
| #prometheus-scrape-interval | The Prometheus scrape frequency | 10s |
| #prometheus-url | The URL to access the Prometheus metrics server. | none |
| #shared-secret | The base64-encoded secret for signing JWTs, shared with OSS Pomerium. | none |
| #signing-key | base64-encoded signing key (public or private) for verifying JWTs. This option is deprecated in favor of authenticate-service-url. | none |
| #tls-ca | base64-encoded string of tls-ca | none |
| #tls-ca-file | file storing tls-ca | none |
| #tls-cert | base64-encoded string of tls-cert | none |
| #tls-cert-file | file storing tls-cert | none |
| #tls-insecure-skip-verify | Disable remote hosts TLS certificate chain and hostname checks. | false |
| #tls-key | base64-encoded string of tls-key | none |
| #tls-key-file | file storing tls-key | none |
| #use-static-assets | When false, forward static requests to localhost:3000. | true |